Renseignement sur les menaces

R.A.S. chinoise de Hong Kong

152.32.215.244

FAI UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED Première vue 01/01/2026 18:29 UTC Dernière vue 20/06/2026 20:24 UTC Risque Critique

Période analysée : 2026-05-21 → 2026-06-20

Activité suspecte · risque 44/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 01/01/2026 18:29 UTC

Dernière observation 20/06/2026 20:24 UTC

Événements (période) 217

MITRE ATT&CK principal T1595 69 occurrences

Activité suspecte · risque 44/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_probe » (signaux protocolaires) · confiance 50%

Confiance 58 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 135377 · 152.32.215.0/24 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 217 événements sur la période pour cette IP.

165.154.134.156 Sonde port 20/06/2026 23:24 UTC
118.194.251.37 Sonde port 20/06/2026 23:23 UTC
103.218.240.78 Sonde RDP 20/06/2026 23:22 UTC
104.218.164.229 Sonde RDP 20/06/2026 23:16 UTC
152.32.129.136 Sonde RDP 20/06/2026 23:13 UTC
123.58.215.102 Tentative d'exploit 20/06/2026 23:12 UTC
118.193.57.62 Sonde port 20/06/2026 23:11 UTC
152.32.215.252 Sonde RDP 20/06/2026 23:10 UTC

Événements (filtres)

217

Première observation

01/01/2026 18:29 UTC

Dernière observation

20/06/2026 20:24 UTC

Dernière activité (filtres)

20/06/2026 20:24 UTC

Événements 7j

111

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 158 TLS TCP 28 HTTPS TCP 3

HTTP

158

TLS

HTTPS

Géolocalisation

Origine réseau déclarée

R.A.S. chinoise de Hong Kong unknown unknown

FAI / réseau

Opérateur et dernière activité ban

UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED 946 Port 3383 port_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

Sonde port · port 3383 · (sonde / probe)

Détails protocole

Aperçu payload

t3 12.1.2 AS:2048 HL:19

Port / service

3383

Raison confiance

Confiance modérée (50 %) — signal principal unique

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

Fp Port Probe Noise Single Port

Confiance

58% Corrélation +8

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

217 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

217 événement(s) — page 2/5

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 21:06:13 UTC	TCP	6147 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:6147 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6147 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6147 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "bcf90fd8e43b95ee834469559507432f01c4d9f0", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.941893094593416, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6147, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "622f289ac9eb15e1cb604792991de289640be2b9", "event_fingerprint": "c796d247d4597bb7ab7f188d5f46279e1ee59d44", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "37de33c132d7582e5ae121dcfcfc9345", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 6147, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6147\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6147\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6147\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6147\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6147\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "22f39e09d1f709bb3b74c6f9d4282c3249fd3cbf", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6147, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6147\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:6147 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "6147 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6147, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6147, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:6147 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6147\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "6147 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6147" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
17/06/2026 15:09:56 UTC	TCP	319 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:319 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 319 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:319 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "3c7b7933d3fc2444ef1405c9cfa958832f822415", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.948103561728229, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 319, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "f34e0db0bdaa1e334457741092f2c83d615dd5a0", "event_fingerprint": "afa23f606550af53dfcb415297f9a146e9e7080f", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "6250855ef794c8791b77ee09428aa298", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 319, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ff2691940114e0752a54553f15be5bc087d0a3f6", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 319, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:319 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 319, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 319, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:319 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "319" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
17/06/2026 15:09:56 UTC	TCP	319 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:319 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 319 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:319 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "3c7b7933d3fc2444ef1405c9cfa958832f822415", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 124, "payload_entropy": 4.88832335565489, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 319, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "f34e0db0bdaa1e334457741092f2c83d615dd5a0", "event_fingerprint": "58f127a5aee5f846ceffd5ca5219e63963b55936", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "5a648782f6afee322a5c9541971c9d5c", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 319, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99e03299fc0c53fd3536393ed5cee23800d47280", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 319, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:319 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 319, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 319, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:319 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "319" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
17/06/2026 15:09:55 UTC	TCP	319 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:319 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/590.35 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 319 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/590.35 (KHTML, like Gecko) Chrome/107.0.2767 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:319 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/590.35 (KHTML, like Gecko) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:319 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/590.35 (KHTML, like Gecko) Chrome/107.0.2767 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "1d186425a53c3d295b728319ac254739f1bfe77f", "http_host_hash": "3c7b7933d3fc2444ef1405c9cfa958832f822415", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.430412293382514, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 319, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6f5297e0d82cb46e6980f3b5b31278dd147a8871", "event_fingerprint": "50c104ba073f579198ca08e7c5a10007388fc2c2", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7159da62626b1f21a516ec5c5b8eb38a", "payload_hash": "6d25ae50e06b973f0b77ea52d2d697bc", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 319, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/107.0.2767 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/107.0.2767 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/107.0.2767 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/107.0.2767 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4588bfd640c501e2006a430ff02def5da9287759", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/107.0.2767 Safari\/537.36", "port": 319, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:319 \u00b7 (tentative d'exploit)", "target_port_label": "319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 319, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/107.0.2767 Safari\/537.36", "port": 319, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:319 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/590.35 (KHTML, like Gecko) Chrome\/", "target_port_label": "319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "319" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
17/06/2026 15:09:55 UTC	TCP	319 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:319 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 319 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:319 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "3c7b7933d3fc2444ef1405c9cfa958832f822415", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.904153461141642, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 319, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "f34e0db0bdaa1e334457741092f2c83d615dd5a0", "event_fingerprint": "e0bc23a77073e9869e9af6eb77e6eb19bf7b71a2", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "fdb41db356f6fe4cf312980a9289a5f5", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 319, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "489e876121cdfa8899fb40be4e4fcfb39e85b8ea", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 319, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:319 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 319, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 319, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:319 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:319\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "319" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
16/06/2026 23:14:36 UTC	TCP	2671 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:2671 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2671 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2671 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "1b48b39fc2b28655f038acd1a645675c86606f43", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.926020078720399, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2671, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "b1036f421b59775c45ddeccea29ca0bde1af1ffb", "event_fingerprint": "aa51ea3e7e35768d957f5ed012f24495052f01b9", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "0d751582025118425d5669e40c296c22", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 2671, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "06e7ff4ea1216ec943a0d0aa53522703abd4857d", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2671, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:2671 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "2671 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2671, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2671, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:2671 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2671 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2671" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
16/06/2026 23:14:36 UTC	TCP	2671 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:2671 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2671 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:2671 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "1b48b39fc2b28655f038acd1a645675c86606f43", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.910399213550654, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2671, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "b1036f421b59775c45ddeccea29ca0bde1af1ffb", "event_fingerprint": "a4b850a4ee4dc3553efd8a655a77fcf6bc2fdcc3", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "6099b1906576018863b510f04b1d2559", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 2671, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "741e25b23ae2a52106d3c39387db30bdcb86848f", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2671, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:2671 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "2671 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2671, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2671, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:2671 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2671 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2671" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 23:14:36 UTC	TCP	2671 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:2671 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2671 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:2671 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "1b48b39fc2b28655f038acd1a645675c86606f43", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.969621368984871, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2671, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "b1036f421b59775c45ddeccea29ca0bde1af1ffb", "event_fingerprint": "f17bb85a086fdab8be15bc9bf8f444630d71708f", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "7464a0d813660c4d314866a4da9ce31e", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 2671, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2307aecce3032244683f96ce37bee06c7cc90866", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2671, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:2671 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "2671 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2671, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2671, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:2671 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2671 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2671" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 23:14:35 UTC	TCP	2671 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2671 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit/545.4… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2671 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit/545.40 (KHTML, like Gecko) Chrome/89.0.2643 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2671 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit/545.40 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2671 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit/545.40 (KHTML, like Gecko) Chrome/89.0.2643 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d9fb339cab18d8b7b138f000c1853c24b9e9d558", "http_host_hash": "1b48b39fc2b28655f038acd1a645675c86606f43", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.414999255300463, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2671, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "50a8dce85b4e18075f99a7743c1845f689ae082d", "event_fingerprint": "a086289c10f14cf49f350de7d194e841fb1b7a6d", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "af297fdb32d0e704ac4dc33a0d0af89c", "payload_hash": "5078ef932bb3967513be964cf798a255", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2671, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like Gecko) Chrome\/89.0.2643 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like Gecko) Chrome\/89.0.2643 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like Gecko) Chrome\/89.0.2643 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like Gecko) Chrome\/89.0.2643 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "565a81c7f529dd9ae90fe28328d31396e3e130e9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like Gecko) Chrome\/89.0.2643 Safari\/537.36", "port": 2671, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:2671 \u00b7 (tentative d'exploit)", "target_port_label": "2671 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2671, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like Gecko) Chrome\/89.0.2643 Safari\/537.36", "port": 2671, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2671 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2671\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_1) AppleWebKit\/545.40 (KHTML, like", "target_port_label": "2671 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2671" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 15:52:04 UTC	TCP	10990 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:10990 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10990 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:10990 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "4f3faeecaa35a428b5b8793e33b8a43926162392", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.931884466737656, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 10990, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c8e6a23238822d7688cef0d593c4b6747a827757", "event_fingerprint": "fb657762d0b4be77c1d128c1a1f7710355969e86", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "a5ee5c58629a6905c31c2767c09282c4", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 10990, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "63eed96da53a85641572f2b2f6b985efb5423dba", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10990, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:10990 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "10990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10990, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10990, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:10990 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "10990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10990" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
16/06/2026 15:52:04 UTC	TCP	10990 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:10990 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10990 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:10990 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "4f3faeecaa35a428b5b8793e33b8a43926162392", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.975142439755949, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 10990, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c8e6a23238822d7688cef0d593c4b6747a827757", "event_fingerprint": "c056e98eb64d5b8b15eebba89eabe9ea3a28aa2d", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "2c56f7935364ec2b84b1f7706f0755da", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 10990, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ecd79fffa9844493e5160e1f80d478238251a9b", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10990, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:10990 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "10990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10990, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10990, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:10990 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "10990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10990" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 15:52:04 UTC	TCP	10990 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:10990 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10990 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:10990 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "4f3faeecaa35a428b5b8793e33b8a43926162392", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.91634324579283, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 10990, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c8e6a23238822d7688cef0d593c4b6747a827757", "event_fingerprint": "5677a881bfffb78e6b8dd00b52096bd829d65a18", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "165035496354c25c8e7a49f57f7b1637", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 10990, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0c97fc5530d12a8bc19b556343f6ade403df69a6", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10990, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:10990 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "10990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10990, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10990, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:10990 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "10990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10990" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 15:52:03 UTC	TCP	10990 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:10990 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/540.45 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10990 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/540.45 (KHTML, like Gecko) Chrome/65.0.849 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10990 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/540.45 (KHTML, like Gecko) Chrom Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10990 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/540.45 (KHTML, like Gecko) Chrome/65.0.849 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d7c551ed5dd811813b0d29aa7b1b6c220afe20df", "http_host_hash": "4f3faeecaa35a428b5b8793e33b8a43926162392", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.4374164446346, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 10990, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "38dbf597d4815926dff95a9abfc824c6d66566f3", "event_fingerprint": "08c37b790773d44827b549ca2ba30d9026ff4473", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "43a17ba40fc05d89425ff93faead7a44", "payload_hash": "eea2a6848d39380fd024743ed27f1933", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10990, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrom", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrome\/65.0.849 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrome\/65.0.849 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrom", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrome\/65.0.849 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrome\/65.0.849 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrom", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e11061f30167da38b1607851ea849b2d4f623828", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrome\/65.0.849 Safari\/537.36", "port": 10990, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrom", "attack_vector": "exploit attempt \u00b7 via HTTP:10990 \u00b7 (tentative d'exploit)", "target_port_label": "10990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10990, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrome\/65.0.849 Safari\/537.36", "port": 10990, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:10990 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/540.45 (KHTML, like Gecko) Chrom", "target_port_label": "10990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10990" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 12:32:04 UTC	TCP	283	—	Sonde port Sonde port · port 283 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 283 Chemin / cible — Payload t3 12.1.2 AS:2048 HL:19 Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.1.2 AS:2048 HL:19 Meta JSON brut { "bytes_in": 25, "payload_entropy": 3.7834651896016456, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "HK", "dst_port": 283, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.6, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "e217a0d0d366a841c4603d9e15387f9b260675db", "event_fingerprint": "b749be5687a126ddac5d4dc4a16ee70f624700cd", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 283, "risk_score": 44 }, "payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n", "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "evidence": { "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8649099da35cf6dde9dc5a8e1c38b73c68d8a151", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 283 }, "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "attack_vector": "Sonde port \u00b7 port 283 \u00b7 (sonde \/ probe)", "target_port_label": "283", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 283, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 283 }, "attack_vector": "Sonde port \u00b7 port 283 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "target_port_label": "283", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "283" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:283", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
16/06/2026 12:32:03 UTC	TCP	283 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:283 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 9460af62ae0af667 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 283 Chemin / cible — Service TLS Payload ��a��B(��!+�O��j̵�� 3o0Rx鹟]�M�Ҭ��Q�#�S}�ݨ�Jz?&�+�/�,�0̨̩� �� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��a��B(��!+�O��j̵�� 3o0Rx鹟]�M�Ҭ��Q�#�S}�ݨ�Jz?&�+�/�,�0̨̩� �� /5� � Requête brute (extrait) ��a��B(��!+�O��j̵�� 3o0Rx鹟]�M�Ҭ��Q�#�S}�ݨ�Jz?&�+�/�,�0̨̩� �� /5� � + 3&$ ?��Xrz��Q�\|��?�+Z�٣y3�o Meta JSON brut { "tls_ja3_hash": "9460af62ae0af667130bf0d36514f084", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.8225183730389265, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "HK", "dst_port": 283, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "93bc004ed328a9a724f2d72ad7d02f9cc7f2e074", "event_fingerprint": "0326313022627cee30ac7f3edd64b7a6c0b18924", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9460af62ae0af667130bf0d36514f084", "payload_hash": "23c8f70cd131b80337e297f1dc53ba48", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "9d78dfefabcee3ee16297d72e4cafc86", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0", "tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86", "tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 283, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd\ufffd\ufffdB(\ufffd\ufffd!+\u0011\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\ufffdj\u0335\u0004\ufffd\ufffd\u001f\ufffd\ufffd\u0003\ufffd\ufffd \ufffd3o\u001c0Rx\u9e5f]\ufffdM\ufffd\u04ac\ufffd\ufffdQ\ufffd#\ufffdS}\ufffd\u001e\u0768\ufffdJz?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd\ufffd\ufffdB(\ufffd\ufffd!+\u0011\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\ufffdj\u0335\u0004\ufffd\ufffd\u001f\ufffd\ufffd\u0003\ufffd\ufffd \ufffd3o\u001c0Rx\u9e5f]\ufffdM\ufffd\u04ac\ufffd\ufffdQ\ufffd#\ufffdS}\ufffd\u001e\u0768\ufffdJz?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 ?\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffdXrz\ufffd\ufffdQ\ufffd\|\ufffd\ufffd\ufffd?\ufffd+Z\ufffd\u0663\u001dy3\ufffdo", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd\ufffd\ufffdB(\ufffd\ufffd!+\u0011\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\ufffdj\u0335\u0004\ufffd\ufffd\u001f\ufffd\ufffd\u0003\ufffd\ufffd \ufffd3o\u001c0Rx\u9e5f]\ufffdM\ufffd\u04ac\ufffd\ufffdQ\ufffd#\ufffdS}\ufffd\u001e\u0768\ufffdJz?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "21554de4e9ce31f7f769f255a693a59a2ff2f100", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd\ufffd\ufffdB(\ufffd\ufffd!+\u0011\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\ufffdj\u0335\u0004\ufffd\ufffd\u001f\ufffd\ufffd\u0003\ufffd\ufffd \ufffd3o\u001c0Rx\u9e5f]\ufffdM\ufffd\u04ac\ufffd\ufffdQ\ufffd#\ufffdS}\ufffd\u001e\u0768\ufffdJz?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 283, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffda\ufffd\ufffd\ufffdB(\ufffd\ufffd!+\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\u0335\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd3o0Rx\u9e5f]\ufffdM\ufffd\u04ac\ufffd\ufffdQ\ufffd#\ufffdS}\ufffd\u0768\ufffdJz?&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:283 \u00b7 (sonde \/ probe)", "target_port_label": "283 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 283, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd\ufffd\ufffdB(\ufffd\ufffd!+\u0011\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\u001e\ufffdj\u0335\u0004\ufffd\ufffd\u001f\ufffd\ufffd\u0003\ufffd\ufffd \ufffd3o\u001c0Rx\u9e5f]\ufffdM\ufffd\u04ac\ufffd\ufffdQ\ufffd#\ufffdS}\ufffd\u001e\u0768\ufffdJz?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 283, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:283 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffda\ufffd\ufffd\ufffdB(\ufffd\ufffd!+\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj\u0335\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd3o0Rx\u9e5f]\ufffdM\ufffd\u04ac\ufffd\ufffdQ\ufffd#\ufffdS}\ufffd\u0768\ufffdJz?&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "283 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "283" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:283", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
16/06/2026 12:32:02 UTC	TCP	283 · HTTP	http	Sonde port 283/TCP port 283 tcp · via HTTP:283 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.29.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua botnet_http_ua_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 283 Chemin / cible / Preuve honeypot — Sonde port 283/TCP Connexion détectée sur le port 283 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_283_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.29.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 62.3.50.33 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 74, "payload_entropy": 4.819344967782759, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 283, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 1, "campaign_key": "8995ef1f18833a8c02bc54394438c522e06686cd", "event_fingerprint": "d391a909c66c5505efc22282a1521afbd4850b34", "classification_reason": "Type \u00ab port_283_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161", "payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 283, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "classification_reason": "Type \u00ab port_283_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a604c4dc4db5bf364c8c9a55ecb989264693af60", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 283, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "attack_vector": "port 283 tcp \u00b7 via HTTP:283 \u00b7 (sonde \/ probe)", "target_port_label": "283 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_283_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_283_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 283, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 283, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 283 tcp \u00b7 via HTTP:283 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "target_port_label": "283 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "283" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:283" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "botnet_http_ua_host", "http_ua_suspicious", "scanner-ua" ] }
16/06/2026 12:31:57 UTC	TCP	283	—	Sonde port Sonde port · port 283 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 283 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "HK", "dst_port": 283, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.6, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "e217a0d0d366a841c4603d9e15387f9b260675db", "event_fingerprint": "b749be5687a126ddac5d4dc4a16ee70f624700cd", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 283, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2958bfb92a6b6b14e810934466c59104ada4a1f4", "protocol_details": { "port": 283 }, "attack_vector": "Sonde port \u00b7 port 283 \u00b7 (sonde \/ probe)", "target_port_label": "283", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 283, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 283 }, "attack_vector": "Sonde port \u00b7 port 283 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "283", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "283" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
16/06/2026 11:54:48 UTC	TCP	4176 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4176 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4176 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:4176 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "3fb4be68b11af688c93162dec6bdfc410b0d6864", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.985494384857888, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 4176, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "5fa7e39daf997dce6a79cd6654afed0d1474cdca", "event_fingerprint": "eb436d75a1fe264b1c7e77e655a6494a27b1ab36", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "f91bbd96e9b001ee0bc8330092af7845", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 4176, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e82dc7d7bfc8fa71d5416e9bd3eed4d119c3e3ff", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4176, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4176 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "4176 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4176, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4176, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4176 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4176 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4176" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 11:54:48 UTC	TCP	4176 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4176 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4176 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:4176 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "3fb4be68b11af688c93162dec6bdfc410b0d6864", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.926399213550654, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 4176, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "5fa7e39daf997dce6a79cd6654afed0d1474cdca", "event_fingerprint": "06fbba209876591d22f98750288d7bd8332fce3d", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "bbb0a168d73f625f47298ec2cad97e80", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 4176, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9691bec33aca7705ffceca6732484a2d7275ffe5", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4176, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4176 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "4176 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4176, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4176, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4176 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4176 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4176" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 11:54:47 UTC	TCP	4176 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4176 · (tentative d'exploit)	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit/562.4… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4176 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit/562.47 (KHTML, like Gecko) Chrome/63.0.243 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4176 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit/562.47 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4176 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit/562.47 (KHTML, like Gecko) Chrome/63.0.243 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "386806da08a14ab8e9535c39dd88952e64d469d5", "http_host_hash": "3fb4be68b11af688c93162dec6bdfc410b0d6864", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.391116957799593, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 4176, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "32251989e9eb28eb32a5e8cc7d7e25599d8e9df7", "event_fingerprint": "5b758c62af97f1a0e86c0ff8f640063a513a0157", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd045d41f7bb5fc01ff42b44ccbab2b2", "payload_hash": "df7958e4f048853eff8b59a96d4096aa", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4176, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like Gecko) Chrome\/63.0.243 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like Gecko) Chrome\/63.0.243 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like Gecko) Chrome\/63.0.243 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like Gecko) Chrome\/63.0.243 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd05dc16443baecad208713dd699a03a1973c8ff", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like Gecko) Chrome\/63.0.243 Safari\/537.36", "port": 4176, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:4176 \u00b7 (tentative d'exploit)", "target_port_label": "4176 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4176, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like Gecko) Chrome\/63.0.243 Safari\/537.36", "port": 4176, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4176 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_1_2) AppleWebKit\/562.47 (KHTML, like", "target_port_label": "4176 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4176" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 11:54:47 UTC	TCP	4176 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4176 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4176 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:4176 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "3fb4be68b11af688c93162dec6bdfc410b0d6864", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.941893094593416, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 4176, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "5fa7e39daf997dce6a79cd6654afed0d1474cdca", "event_fingerprint": "6d4491a5f400533be2516c4813256607877dbf74", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "e643ebb5092820c9889f2142ae0a6bc2", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 4176, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a9db38f092d30d86e44eca85e6fdf6eb233d41ee", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4176, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4176 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "4176 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4176, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4176, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4176 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4176\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4176 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4176" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 08:44:51 UTC	TCP	439 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:439 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 439 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:439 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "40445650f964514b0d49315abf50fcf7bd91a306", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.933030584937137, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 439, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "cd1fa97dbb0a4ded4db2aec410bdecaee69cb9dd", "event_fingerprint": "d9f05c3f43dafea67e17212505237e6143988594", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "f6c498cdd29f1be56a663010e7b5a716", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 439, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0233d601bc6df07299c90da2e6f0cd1438446587", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:439 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 439, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:439 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "439" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 08:44:51 UTC	TCP	439 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:439 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 439 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:439 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "40445650f964514b0d49315abf50fcf7bd91a306", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 124, "payload_entropy": 4.917433359480994, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 439, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "cd1fa97dbb0a4ded4db2aec410bdecaee69cb9dd", "event_fingerprint": "4f4ad31e8eeb93f4ea24e97fd2192e10bea36674", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "61191ffa9f17767d8e853e54c9ac02b3", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 439, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "021d71f2a8bf7d9b87bd292513f9577a32297dd5", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:439 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 439, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:439 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "439" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 08:44:51 UTC	TCP	439 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:439 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 439 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:439 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "40445650f964514b0d49315abf50fcf7bd91a306", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.976980685523724, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 439, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "cd1fa97dbb0a4ded4db2aec410bdecaee69cb9dd", "event_fingerprint": "87888e683cb894125b17ee94b14bc92f4ed0fcc5", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "cf8e3c03a7e989536c2b2b0e55dd58fe", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 439, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7d72f486ee6e657dfe25c0bab8a3d24a48b04a3f", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:439 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 439, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:439 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "439" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 08:44:50 UTC	TCP	439 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:439 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/553.43 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 439 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/553.43 (KHTML, like Gecko) Chrome/65.0.1877 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:439 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/553.43 (KHTML, like Gecko) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:439 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/553.43 (KHTML, like Gecko) Chrome/65.0.1877 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "27e8898c9041aa4c4620d636075f3a1ccbdf475e", "http_host_hash": "40445650f964514b0d49315abf50fcf7bd91a306", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.42715580796563, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 439, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "25701709027c82716644eef4b3f0a0576a42990a", "event_fingerprint": "38fdd670d7407bc61a39d1f79b7d9c46e3f4ce4d", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "406cec2164d6b6cf17f3912e913b4f8b", "payload_hash": "b25f5dc171c67899869c90096588a929", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 439, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/65.0.1877 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/65.0.1877 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/65.0.1877 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/65.0.1877 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a60c6e395b1bd9906a2a8b04b0f3fa16d23d08cd", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/65.0.1877 Safari\/537.36", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:439 \u00b7 (tentative d'exploit)", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 439, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/65.0.1877 Safari\/537.36", "port": 439, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:439 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:439\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/553.43 (KHTML, like Gecko) Chrome\/", "target_port_label": "439 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "439" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 96 }
16/06/2026 08:38:24 UTC	TCP	5306 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:5306 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5306 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:5306 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "14de648430a2019d0f895440d58e0631d3205392", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.897315437363455, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 5306, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "96fe67a87a99a8390a958175f93088c18adf4059", "event_fingerprint": "044bc02920c77d53de0ad78a0a0a9e8f8ab8d2a3", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "28c216cd3013157bf21a7d509453b507", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 5306, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a72a88c88f9c07e007a928fc25360dff49f17f0", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 5306, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:5306 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "5306 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5306, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 5306, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:5306 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "5306 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 08:38:24 UTC	TCP	5306 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:5306 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5306 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:5306 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "14de648430a2019d0f895440d58e0631d3205392", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.956641432291222, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 5306, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "96fe67a87a99a8390a958175f93088c18adf4059", "event_fingerprint": "b0a699deaf3b2798a9781b7f3b78d924c62b427b", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "7b09da3a7b6332cef75c3a6eef1f4dbc", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 5306, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "56a349d39575de416a1664fd01bf504f6a5752f3", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 5306, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:5306 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "5306 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5306, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 5306, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:5306 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "5306 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 08:38:23 UTC	TCP	5306 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5306 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/543.52 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5306 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/543.52 (KHTML, like Gecko) Chrome/77.0.893 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5306 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/543.52 (KHTML, like Gecko) Chrome Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5306 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/543.52 (KHTML, like Gecko) Chrome/77.0.893 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "c6b79c5b4b63676e02ef2816b91faaec26a24b4b", "http_host_hash": "14de648430a2019d0f895440d58e0631d3205392", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.432838120040572, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 5306, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "562c064c426270f3db0dd77c9852975d50acbe34", "event_fingerprint": "a327c3574575f5b9769bd9882267275c07c7391a", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "738bd984e69a7e5ab9899b3b016c754f", "payload_hash": "07ad0586baa46d486920b05b6d1ad6ab", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5306, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome\/77.0.893 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome\/77.0.893 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome\/77.0.893 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome\/77.0.893 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "881120047660c9f05f4b710ac26f559566e8daf5", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome\/77.0.893 Safari\/537.36", "port": 5306, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome", "attack_vector": "exploit attempt \u00b7 via HTTP:5306 \u00b7 (tentative d'exploit)", "target_port_label": "5306 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5306, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome\/77.0.893 Safari\/537.36", "port": 5306, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5306 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/543.52 (KHTML, like Gecko) Chrome", "target_port_label": "5306 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 08:38:23 UTC	TCP	5306 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:5306 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5306 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:5306 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "14de648430a2019d0f895440d58e0631d3205392", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.91304014202675, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 5306, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "96fe67a87a99a8390a958175f93088c18adf4059", "event_fingerprint": "fa56b23214ca00eabc0d74b4d00db64d186366b7", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "dc5ef261144610a6f244fc0996f0161b", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 5306, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7d7c785e93bba96f249a4a8f4b7e80c43fe966e4", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 5306, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:5306 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "5306 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5306, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 5306, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:5306 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5306\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "5306 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 05:37:51 UTC	TCP	1272 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1272 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1272 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:1272 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "35c5134577d7de00fbda554b0f20f50e67abc527", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.904360113533345, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1272, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "0c5f1da79babcb952fda80e20546d3fe61ef0ba7", "event_fingerprint": "da08b88202445a351835df5a105f65b995e34bce", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "74ac47698a91db4d67f6b94bf6c2df8b", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 1272, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c3e39726fd230cde36ae2087ee28f72bd05a2522", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1272, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1272 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "1272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1272, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1272, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1272 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1272" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 05:37:50 UTC	TCP	1272 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1272 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1272 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:1272 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "35c5134577d7de00fbda554b0f20f50e67abc527", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.920028908068309, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1272, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "0c5f1da79babcb952fda80e20546d3fe61ef0ba7", "event_fingerprint": "301433338ab4f2dd4275ae5552c898f5f053b871", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "2d60ed920f2363953ceb43e115658d84", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 1272, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eb3a1b107056720e38442b5813cbea5607773b3a", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1272, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1272 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "1272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1272, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1272, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1272 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1272" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 05:37:50 UTC	TCP	1272 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1272 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1272 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:1272 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "35c5134577d7de00fbda554b0f20f50e67abc527", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.963630198332781, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1272, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "0c5f1da79babcb952fda80e20546d3fe61ef0ba7", "event_fingerprint": "a2b065bc9ecdfeacd757c710ec8b3a6fc1eb0e35", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "db84826b6fee46d58ca303bbac4240c2", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 1272, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9003d3a3c65536a3073b7e28f01a2fe6066365fe", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1272, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1272 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "1272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1272, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1272, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1272 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1272" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 05:37:49 UTC	TCP	1272 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:1272 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.44 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1272 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 43 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.44 (KHTML, like Gecko) Chrome/93.0.187 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1272 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.44 (KHTML, like Gecko) Chrome Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1272 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.44 (KHTML, like Gecko) Chrome/93.0.187 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "76ab1218dfb6260d37dda0f2746d0fdc36bf20c2", "http_host_hash": "35c5134577d7de00fbda554b0f20f50e67abc527", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.44526645006954, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1272, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8cc2da1f2f1406218af1da5381b75c2fa8b4081c", "event_fingerprint": "24293e8e2501f9de1a010568951d6ee1a2fe07b1", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d11e3f917eea4e03beb601c8cf2a8b17", "payload_hash": "6dfff789b52e9f90c9402294faeb02d0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1272, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome\/93.0.187 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome\/93.0.187 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome\/93.0.187 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome\/93.0.187 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4aebd12954dd487f37477505dfb7b69f7b42e337", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome\/93.0.187 Safari\/537.36", "port": 1272, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome", "attack_vector": "exploit attempt \u00b7 via HTTP:1272 \u00b7 (tentative d'exploit)", "target_port_label": "1272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1272, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome\/93.0.187 Safari\/537.36", "port": 1272, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:1272 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1272\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.44 (KHTML, like Gecko) Chrome", "target_port_label": "1272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1272" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 02:09:32 UTC	TCP	1942 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1942 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1942 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:1942 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "79883d8ff1dccee70b43e2d5e80b45d6ecdddd0f", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.941893094593416, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1942, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "47aa8c18895315e41a9bf01188497d50d74a3917", "event_fingerprint": "149c065756e44f078e36021d05d6369950344699", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "42a726fe59ff17f81e1300a9f0123b61", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 1942, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "443ca2cd6a083ef1309946e472d91e8d4d20d5ab", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1942, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1942 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "1942 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1942, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1942, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1942 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1942 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1942" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 72 }
16/06/2026 02:09:32 UTC	TCP	1942 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1942 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1942 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:1942 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "79883d8ff1dccee70b43e2d5e80b45d6ecdddd0f", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.926399213550654, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1942, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "47aa8c18895315e41a9bf01188497d50d74a3917", "event_fingerprint": "76f332c82c64b08fc1a745690a36d481ea5184e2", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "e455397391385fc979b7dcabf44e2b21", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 1942, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ebbc16b2a47cdd6d7baec94cf91b3fe28433b8c2", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1942, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1942 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "1942 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1942, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1942, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1942 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1942 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1942" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 02:09:32 UTC	TCP	1942 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1942 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1942 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:1942 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "79883d8ff1dccee70b43e2d5e80b45d6ecdddd0f", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.985494384857888, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1942, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "47aa8c18895315e41a9bf01188497d50d74a3917", "event_fingerprint": "ed071300940b21225e7520a32f3607d514a548c1", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "c6cdac8a291292e29097409333a950da", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 1942, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e6bc5a2785933ed2ae369699409ecdf57946cc25", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1942, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1942 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "1942 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1942, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1942, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1942 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1942 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1942" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 02:09:31 UTC	TCP	1942 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:1942 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/600.47 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1942 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/600.47 (KHTML, like Gecko) Chrome/82.0.2045 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1942 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/600.47 (KHTML, like Gecko) Chrome Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1942 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/600.47 (KHTML, like Gecko) Chrome/82.0.2045 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "4975d3089102200a0be6b6f4be3b240c0508fdae", "http_host_hash": "79883d8ff1dccee70b43e2d5e80b45d6ecdddd0f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.448854134061319, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1942, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7122991ebedef4bfcf61c7ad267e7a4f3966ad61", "event_fingerprint": "2046d18cfd706c345bacac2a3a1e88218d4ee5db", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "500c57923df641a09fbb4b99b350ed96", "payload_hash": "863b5bde458458b0169e623f33168f2c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1942, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome\/82.0.2045 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome\/82.0.2045 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome\/82.0.2045 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome\/82.0.2045 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7933d46162d379e257d6603ae6a714cd97844d92", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome\/82.0.2045 Safari\/537.36", "port": 1942, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome", "attack_vector": "exploit attempt \u00b7 via HTTP:1942 \u00b7 (tentative d'exploit)", "target_port_label": "1942 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1942, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome\/82.0.2045 Safari\/537.36", "port": 1942, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:1942 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1942\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/600.47 (KHTML, like Gecko) Chrome", "target_port_label": "1942 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1942" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 22:58:47 UTC	TCP	18186 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:18186 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18186 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:18186 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "01d8e700b90009437a73bdf6ede39470141f91f0", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.907253983668016, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 18186, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "69beff53f058fdaecb305c8371bdfabfd6797450", "event_fingerprint": "133695262f040fe209b07904eb9a58f9dae23413", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "379fb6ab3737fc80a4b02b5723991492", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 18186, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "53d60799187bbb94a36bd3c44a09054ba80e458c", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 18186, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:18186 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "18186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18186, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 18186, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:18186 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "18186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18186" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 22:58:47 UTC	TCP	18186 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:18186 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18186 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:18186 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "01d8e700b90009437a73bdf6ede39470141f91f0", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.966124746624243, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 18186, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "69beff53f058fdaecb305c8371bdfabfd6797450", "event_fingerprint": "7c3623cdce973ca25c65f738527d4d68cf23175c", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "0e9cfb594e2222551f84e48a1dc21ad3", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 18186, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e5334c12ad014994d8bfae935ffcf481843aa6c", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 18186, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:18186 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "18186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18186, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 18186, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:18186 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "18186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18186" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 22:58:46 UTC	TCP	18186 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:18186 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit/602.35 (KH… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18186 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit/602.35 (KHTML, like Gecko) Chrome/106.0.2032 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18186 User-Agent: Mozilla/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit/602.35 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18186 User-Agent: Mozilla/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit/602.35 (KHTML, like Gecko) Chrome/106.0.2032 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "b8afacb4d3987c1a92b15c7c175328e0d445c88f", "http_host_hash": "01d8e700b90009437a73bdf6ede39470141f91f0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.39932794721614, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 18186, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c2d993e5a6267c38e0f6f1ffa966e6fa7710a119", "event_fingerprint": "08c72238672741ba09cff2b3f8a7de4fd0c861aa", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "361fcb3fe9c53e5a5541ec46f0134ab2", "payload_hash": "f4478f62cfae5da187045b360c9b6a45", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18186, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gecko) Chrome\/106.0.2032 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gecko) Chrome\/106.0.2032 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gecko) Chrome\/106.0.2032 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gecko) Chrome\/106.0.2032 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "75f9753235caaa8917db0841f9df207403154dd4", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gecko) Chrome\/106.0.2032 Safari\/537.36", "port": 18186, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:18186 \u00b7 (tentative d'exploit)", "target_port_label": "18186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18186, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gecko) Chrome\/106.0.2032 Safari\/537.36", "port": 18186, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:18186 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_1; Win64; x64) AppleWebKit\/602.35 (KHTML, like Gec", "target_port_label": "18186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18186" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 22:58:46 UTC	TCP	18186 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:18186 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18186 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:18186 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "01d8e700b90009437a73bdf6ede39470141f91f0", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.92286677360595, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 18186, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "69beff53f058fdaecb305c8371bdfabfd6797450", "event_fingerprint": "c66d810365cf07e3c04397a0bd4ea9f340df21f0", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "2960615ada9011986bdf7179b1959ef9", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 18186, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dac3208d0265b72a6fe7b79ef93e39750dbd5e85", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 18186, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:18186 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "18186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18186, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 18186, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:18186 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:18186\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "18186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18186" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 12:42:47 UTC	TCP	2280 · HTTP	http	http http · via HTTP:2280 · (sonde / probe) · → /favicon.ico	Moyenne	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2280 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « http » (signaux protocolaires) · confiance 58% Confiance classification 58% Risque capteur Faible · 35 Confiance : Confiance 58 % — Score WAF 8 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2280 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "a87bb8454e8748b751ac67016a9ccded640eb511", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.9328038324686005, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2280, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "f19da4aa6e41d0c2a62e7f7980130b5e02111dfb", "event_fingerprint": "b202dd442d1271944b6a4da991a8fc07d49a9bb2", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "b13ef90028d6341fcc5bcd240a8b8e7c", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "service_name": "http", "target_context": { "dst_port": 2280, "service": "http", "service_name": "http", "risk_score": 35 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%" }, "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "confidence": 0.58, "classification_confidence": 0.58, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d5c882136cd2b9981cba40a089dd19ff3b76338", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2280, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "http \u00b7 via HTTP:2280 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "2280 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 58 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "classification_reason_label_fr": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2280, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2280, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http \u00b7 via HTTP:2280 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2280 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 58 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2280" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 12:42:47 UTC	TCP	2280 · HTTP	http	http http · via HTTP:2280 · (sonde / probe) · → /sitemap.xml	Moyenne	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2280 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « http » (signaux protocolaires) · confiance 58% Confiance classification 58% Risque capteur Faible · 35 Confiance : Confiance 58 % — Score WAF 8 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:2280 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "a87bb8454e8748b751ac67016a9ccded640eb511", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.976405122733072, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2280, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "f19da4aa6e41d0c2a62e7f7980130b5e02111dfb", "event_fingerprint": "bc95516966d8e947071b080d7d64bf439f66afc1", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "093d8a698d3d2b66e9bd3c079da9fe04", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "service_name": "http", "target_context": { "dst_port": 2280, "service": "http", "service_name": "http", "risk_score": 35 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%" }, "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "confidence": 0.58, "classification_confidence": 0.58, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d9f8d083386aad3fc7b97abe7010907f78bb8c03", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2280, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "http \u00b7 via HTTP:2280 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "2280 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 58 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "classification_reason_label_fr": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2280, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2280, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http \u00b7 via HTTP:2280 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2280 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 58 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2280" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 12:42:47 UTC	TCP	2280 · HTTP	http	http http · via HTTP:2280 · (sonde / probe) · → /robots.txt	Moyenne	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2280 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « http » (signaux protocolaires) · confiance 58% Confiance classification 58% Risque capteur Faible · 35 Confiance : Confiance 58 % — Score WAF 8 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:2280 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "a87bb8454e8748b751ac67016a9ccded640eb511", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.917237237328839, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2280, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "f19da4aa6e41d0c2a62e7f7980130b5e02111dfb", "event_fingerprint": "dad4000bf1e546d9ca247cb3875748c82b1affb9", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "7760a0a1bc8311a58210f95be9eec775", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "service_name": "http", "target_context": { "dst_port": 2280, "service": "http", "service_name": "http", "risk_score": 35 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%" }, "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "confidence": 0.58, "classification_confidence": 0.58, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71f7530bb5611fccf0946bdca907606895ce2aca", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2280, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "http \u00b7 via HTTP:2280 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "2280 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 58 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "classification_reason_label_fr": "Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2280, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2280, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http \u00b7 via HTTP:2280 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2280 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 58 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2280" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 12:42:46 UTC	TCP	2280 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2280 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit/539.5… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2280 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit/539.55 (KHTML, like Gecko) Chrome/102.0.1067 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2280 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit/539.55 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2280 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit/539.55 (KHTML, like Gecko) Chrome/102.0.1067 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "4f187ed385f1145bd3db894c3f7371def7c9012c", "http_host_hash": "a87bb8454e8748b751ac67016a9ccded640eb511", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.384456302149837, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2280, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "236f628397965445ddca259e40e1963483b35d05", "event_fingerprint": "ba9c974bdf4ae438bc9c9f4035a03317c662e4e5", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ed18338e5de93a8a9b295a23be0cacc7", "payload_hash": "197b3cbb23c35bd2f727105ed7e93e5d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2280, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like Gecko) Chrome\/102.0.1067 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like Gecko) Chrome\/102.0.1067 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like Gecko) Chrome\/102.0.1067 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like Gecko) Chrome\/102.0.1067 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44912a82360ebe51b3ff6f5c2872b35d2001f145", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like Gecko) Chrome\/102.0.1067 Safari\/537.36", "port": 2280, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:2280 \u00b7 (tentative d'exploit)", "target_port_label": "2280 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2280, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like Gecko) Chrome\/102.0.1067 Safari\/537.36", "port": 2280, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2280 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2280\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_1) AppleWebKit\/539.55 (KHTML, like", "target_port_label": "2280 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2280" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 96 }
15/06/2026 12:42:42 UTC	TCP	6044 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:6044 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6044 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:6044 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "900e55c66fb6137a19a58548cda5a4c5bc2f0214", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.982396293385163, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6044, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "46991468bf0c1e87d577d8adaf6e18e111dde3fb", "event_fingerprint": "8f1f50b1d2e933bcc0c52abf5b19cc74297909a7", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "672609c3a88bd1a513722ff613745247", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 6044, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3924bb2430a8b801ae0aac10d0e03bf1bf656f6d", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6044, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:6044 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "6044 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6044, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6044, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:6044 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "6044 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6044" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 12:42:42 UTC	TCP	6044 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:6044 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6044 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:6044 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "900e55c66fb6137a19a58548cda5a4c5bc2f0214", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.923276337346147, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6044, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "46991468bf0c1e87d577d8adaf6e18e111dde3fb", "event_fingerprint": "2f0779455bfe7a02551819567d33f8333ae4c10a", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "b234dc81b88c3c6729f8797d07ef4eda", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 6044, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d0bf0bfc0e9cdbe209ff95b3dae51ed582e9bb4", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6044, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:6044 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "6044 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6044, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6044, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:6044 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "6044 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6044" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 12:42:41 UTC	TCP	6044 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:6044 · (tentative d'exploit)	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit/589.4… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6044 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit/589.46 (KHTML, like Gecko) Chrome/70.0.2227 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6044 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit/589.46 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6044 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit/589.46 (KHTML, like Gecko) Chrome/70.0.2227 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d43359f78dbcd946b2d9df505e715990845c5d1b", "http_host_hash": "900e55c66fb6137a19a58548cda5a4c5bc2f0214", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.414999255300463, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6044, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "99c414676231f64cd310aa63ed9cc5f3f0bbd1ed", "event_fingerprint": "77afee043a9528cebfab44ef305b232d77d70f12", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2109195ace9842e268347605f3bc2359", "payload_hash": "4ff773d5568a608b92ef756bd1937b1d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6044, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like Gecko) Chrome\/70.0.2227 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like Gecko) Chrome\/70.0.2227 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like Gecko) Chrome\/70.0.2227 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like Gecko) Chrome\/70.0.2227 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c090436b6f0ba177e68fd835e3cf4b5d295d1de2", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like Gecko) Chrome\/70.0.2227 Safari\/537.36", "port": 6044, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:6044 \u00b7 (tentative d'exploit)", "target_port_label": "6044 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6044, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like Gecko) Chrome\/70.0.2227 Safari\/537.36", "port": 6044, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:6044 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_2_2) AppleWebKit\/589.46 (KHTML, like", "target_port_label": "6044 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6044" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 12:42:41 UTC	TCP	6044 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:6044 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6044 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6044 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "900e55c66fb6137a19a58548cda5a4c5bc2f0214", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.938795003120691, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6044, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "46991468bf0c1e87d577d8adaf6e18e111dde3fb", "event_fingerprint": "77691027c2825824fa7ae87df77536509e59df0a", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "9b843501bf56f23bd31ea3bb8838528c", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 6044, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d54a9b647c4ba4c675c9c4e558bd8920342c470e", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6044, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:6044 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "6044 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6044, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6044, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:6044 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6044\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "6044 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6044" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 10:31:53 UTC	TCP	1865 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1865 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1865 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:1865 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "db3e4327e8cdaafafe6d8c8a31e5ca19e3b53728", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.969621368984871, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1865, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "bf36b535dc266c739bec1c2845cf2531e827a7b4", "event_fingerprint": "8ee239f377352b5c3f423e5d07eeeadfed29912c", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "d7d4cf2d50fea2c1a81725cf660410fe", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 1865, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1865\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1865\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1865\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1865\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1865\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "124d605c902e4b0e7083b9184e9dc7166726ba6e", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1865, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1865\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1865 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "1865 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1865, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1865, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1865 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1865\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1865 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1865" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }

152.32.215.244

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence